The Reserve Bank has gained the high ground against Accellion, after the bank's US technology partner refused to challenge RBNZ's version of events.
Yesterday, RBNZ Governor Adrian Orr alleged Accellion had dragged its feet alerting the banks and other clients about a vulnerability with its FTA file-sharing service - which led to sensitive documents being stolen.
"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach," Orr said.
Orr's timeline ran contrary to a January 12 statement by Accellion, which said it created a patch and sent it to all affected clients within 72 hours.
Five days? Or 72 hours? One narrative must be wrong. The Herald asked Accellion for comment on Orr's five-day claim, and also to clarify if it notified clients immediately it detected a serious security vulnerability, or only after it had developed a patch.
Accellion communications director Robert Dougherty did not address any of those points directly, instead sending the general statement:
"Accellion is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm.
"We will share more information once this assessment is complete.
"For their protection, we do not comment on specific customers. We are working with all impacted FTA clients to understand and mitigate any impact of this incident, and to migrate them to our modern kiteworks content firewall platform as soon as possible."
It was not clear how commenting on the Reserve Bank's timeline - which it had already chosen to make public - would compromise its security.
Yesterday, Orr said: "If we were notified at the appropriate time, we could have patched the system and avoided the breach. Our own analysis has identified shortcomings in our processes once the system was breached. The impact this had is part of the review underway."
RBNZ not off the hook
But although the RBNZ Governor now appears to have the upper hand over how events unfolded in December, there are broader timeline questions that will have to be resolved by an investigation currently underway by KPMG.
They include why the RBNZ had not acted faster on a May 2020 report by the bank's chief information officer, Scott Fisher, which warned there was "high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".
Also why the RBNZ was still using a 20-year-old Accellion file-sharing service called FTA, when the US company had been encouraging customers to upgrade to a more secure alternative, Kiteworks, for four years. Kiteworks was referenced in Fisher's report.
Orr also said yesterday that the RBNZ has completed its assessment of the files illegally downloaded during the breach and is notifying organisations involved.
External legal advisers are also providing assurance checks and advice on any personal information which was included in the downloaded files.
"For security reasons, we can't provide specific details about the number of files downloaded, or information they contain. We have been in regular communication with all organisations who have had files illegally downloaded," Orr said.
"As a priority, we have engaged with the organisations whose files contained sensitive information, to support them and assist in managing the impact on their customers and staff.
"We are working directly with these organisations to determine how many people had sensitive personal information compromised and we will ensure they are well supported."
"The Bank has engaged a specialist national identity and cyber support service IDCARE, to provide advice and support to people affected by the breach at no cost to them. We continue to work closely with the Office of the Privacy Commissioner."